New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
MEGA.NZ reliable for backups?
lowendtalkxdax
Member
in Help
Does anyone use mega.nz as backup storage and if yes, is the data stored reliably without file corruption (for long periods)?
Or does anyone have bad experiences with their services?
Think I read one person write about file files on their cloud being corrupted over time once but couldn’t find the source anymore. Maybe mistook it with another cloud-storage provider.
Considering using them as a replication to my cloud-backup, as I found a way in getting their 16tb subscription for dirt cheap (Apple AppStore trick, 20cent/tb lol).
This discussion has been closed.
Comments
In my expreince google drive still better for any type of backups.
I used mega with restic years ago. Experience was not good. Every time mega saves active login session, speed was very slow. Google Drive works pretty good for me. I tried OneDrive too. It works but hits API limit pretty quick.
i also got the 16TB plan for next to nothing using in-app purchase in turkish lira
it just idles, same as dropbox and google drive i also got for nothing
I paid for a year of 16TB from them using the app store regional pricing trick for the same reason as you (redundant backup). Despite the "dirt cheap" price, imo it wasn't worth it at all and would rather wish I'd spent the money elsewhere, perhaps on a proper backup solution.
On Linux, you need to install the MEGAcmd suite to do any kind of backup/folder sync, which doesn't work for me at all whenever trying to interact with it, as the process simply freezes in the background.
On Desktop, it's a YMMV situation, sometimes the desktop app works as expected, sometimes the app refuses to launch. Regardless, after a few minutes of trying to backup, the upload simply stalls out to 0 kb/s. I still haven't been able to upload my ~300gb local backup folder after two months.
On Mobile, I configured my iOS app to backup my camera roll, surprise surprise, after it uploads a few photos, it simply stops. It doesn't upload in the background nor in the foreground, the app is completely useless. Downloading files from the app doesn't work either. Google Photos is 1000% better, and you can get a cheap Google Drive subscription using the same trick, albeit not as cheap.
And good luck on getting the web version working. It takes 20 minutes to decrypt the web drive, and then interacting with it is sluggish at best, until it forces you to refresh the page to wait for another 20 minutes.
Overall, Mega is simply a pain to use and a cheap rabbit hole where you'll never be able to take advantage of the full 16TB. I rate it a 2/10 solution and would advise anyone to stay far away, and perhaps use Google Drive or a cheap storage VPS instead. Currently, I'm only using a few gigs on folder sync, which was the only slightly reliable feature (if Mega manages to launch on startup fine). Though once you sync a folder, I couldn't find a way to delete it from the cloud.
Anyways, maybe your experience with Mega would be different than mine, so if you can't pass out on the cheap cheap price, perhaps try it with a smaller plan for a month first, before wasting your money away on a full year commitment.
Thanks for the deep insight! Going to spend my money somewhere else then
.
i just tried it out with rclone. works great
Ok first for 1 month 4€ won’t hurt haha. Gonna take a look and decide if keep or leave after 1 month. Just need to get the data back on emergency, otherwise it’s just setup once and forget.
How much did you pay for it? I'd love to take it from your hands and give it a go.
It was around $32 USD/year for 16 TB, absolutely cheap. Though, I'm not in the business of selling my account sorry, since payment is tied to my apple ID and it has personal files that are impossible to delete.
The method is basically paying in app with Turkey Apple ID w/ Turkish credit card (a must), don't know if they recently increased the price or not.
Sadly rclone still doesn't support Mega's 2FA, which is a must for me given the sensitive data that's stored on it.
Appreciate your note. I didn't realize it would be tied to applied.
I have nothing with Turkish IDs/ cards... so guess it's out of my reach any way.
Thnx
You don't need Turkish ID. You just need your payment country set to Turkey. The Turkish card can just be Turkish App Store gift cards. I purchased mine from Eneba.
However, a clean Apple ID is recommended, and therefore you need an Apple device.
https://www.eneba.com/apple-apple-itunes-gift-card-100-try-itunes-key-turkey
I used NAS drives
You don't need 2FA if your password is completely random. There are very few attacks that work against a completely random password but not against 2FA. In essence TOTP 2FA is the same thing as having an additional password, just one that you never need to directly send to the server (the server stores it in plaintext though).
Also, obviously encrypt your data before uploading, don't just trust Mega's encryption algorithms.
Hmm. I dun have any apple device rn. Any other alternative? Thnx
2FA is mandatory for increased overall data safety habits. It does not end up in single provider. You set up 2FA everywhere you can. A form of habit.
Saying a strong, randomized password can replace 2FA is simply not true. 2FA provides a second layer of security in addition to a plain text password. A password can (relatively) easily be compromised through various means, be it phishing/social engineering attack, database leak, or even a MiTM attack. Having 2FA adds another factor of authentication which mitigates the scenario where your account gets fully compromised due to the hacker getting hold of your username and password. So the best practice should definitely be to have a strong, randomized password and have 2FA enabled.
And yes of course, you should always encrypt your data first before uploading to any cloud storage.
This. So much. If the supposedly sensitive data got put onto the internet in clear text 2FA is really not that big of a deal.
mega.nz without 2fa but with rclone and crypt for emergency-backup-storage only, without the need of retrieving files until all other backup-solutions fail, only upload in the background
should be fine as long as file corruption doesn’t hit the files x)
If you can be phished for a password, you can be phished for a 2FA token. Yes, they only last 30 seconds, but that's hardly an issue for an attacker.
How about this: most websites that have an API allow you to generate an API key which also bypasses any kind of 2FA. Treat your password as an API Key for Mega.nz. Don't use their web interface when possible, use a password manager so you don't get phished and don't type your password in anywhere else.
It's really not hard. Saying that you need 2FA if you already have a 256-bit random hex password is just silly.
Also, I'd like to also point out that if your data is encrypted with a sensible cipher (e.g. AES 256), even with access to their account there's nothing an attacker could do to access the data beyond just deleting it, which would be pretty useless for them to do.
First of all, TOTP isn't the only 2FA method out there. But considering TOTP, sure it's possible to phish the temporary passcode as well, but they remain two separate components, meaning there's double the chance for the user to catch the phishing attempt.
More importantly, phishing isn't the only form of attack to get your password. Mega may suffer a database breach (what if pw stored plain text?), you may be caught between a MiTM attack, your password manager may get compromised, the possibilities are endless. Even with a God-strength password, once your password gets compromised, it won't protect you any good—which is exactly what 2FA is there to prevent.
You make a comparison with password to API key. Do note that, a well designed API limits the key to a certain scope and can only perform upon these assigned actions, while a more secure API also has the ability to issue IP address restrictions and enforces an expiry/renewal period. Password authentication definitely doesn't have these security features. What you're suggesting is an unrestricted, unlimited global API key—these are inherently insecure and should always be avoided whenever possible.
Furthermore, encrypting your data simply isn't enough, as compromised data is not the same as compromised account. Sure, your data may be safe, but there may be sensitive information that you may wish to keep from an attacker: your full name, address, phone number, etc., and they will be able to perform action on your behalf: charge more subscription with your saved payment method, store potentially illegal content on your account, etc. When it comes to opsec, it's better to be doubly safe than to rely on a single point of failure.
I don't think you know how TOTP works. To implement TOTP authentication you need to store the secret in plaintext in a database. Research more into how TOTP works, it's just a second password that you don't send directly to the server.
If Mega's database was compromised so are by definition all of your files and all of the personal data that you've given them. Your TOTP secret would also be compromised obviously.
If you successfully MITM'd a user who was using Mega, you'd have their authentication token (cookie) which would give you full access to their account anyway.
If your password manager was compromised, they'd have the ability to run arbitrary code as an extension in your browser. They could just access any website with your browser and get all of the information they need. TOTP does not stop them.
Please, name any attack that you can successfully do against a 256 bit random password protected system that you can't also do against a Password + TOTP system.
This is just false information
What part of it is false?
You know what, let me just explain TOTP clear this up:
TOTP is in fact a very simple algorithm. When you scan the QR code to enable 2FA, that QR code has a random secret key embedded into it. Both the server and your 2FA app stores that key, in either plaintext or reversible encryption (we're gonna ignore HSM storage for now because basically nobody uses that right now). For all intents and purposes, storing your secret key in reversible encryption is the same as storing your key in plaintext for a server -- there are very few cases where an attacker has access to the database but not the source code.
This will be oversimplified and there are some additional details for how TOTP actually works (google it, its called a HMAC), but to explain it in a way that is easier for people here to understand we can imagine it as simply the formula
Take6Digits(SHA256(secretKey + currentTime)). Since we want to give a 30 second interval of code changing, the current time is rounded to the nearest 30 seconds instead. Thus every 30 seconds the value ofSHA256(secretKey + currentTime)changes! When you submit the code to a server, the server does the same operation and checks whether the two values are the same.But you see how a 2FA is just a random password right? The only difference is that the key is only transmitted once, but as I've explained above if you could somehow MITM traffic of a person using a web app, you would also have access to their cookies anyway which would give you full access to their account...
Only username, no password, no 2fa is insecure, obviously, guess username, in
Username + easy password can be easily bruteforced
Username + hard password used to be ok, but can easily be compromised by phishing, keylogging, access to your password vault, e.g. chrome
Username + easy password + 2fa on separate device = impossible to hack unless the hacker manages to physically get close to you and knock you out or threatens you with a gun/blackmail, but then you have other more serious problems to deal with x)
(Or he manages to hack all of your devices lol)
Btw, sms is less secure than totp and passkeys, as they are NOT encrypted and can be intercepted (clear-text) by anyone in your neighborhood, e.g. your friendly neighbor or some hacker inside car near your house
I've addressed every single one of those attacks above.
A keylogger is just a program running on your computer, if an attacker had a program running on your computer they'd just steal your cookies directly.
Rarely see useful information on let.
I have an old account with them since probably 2013 or 2014 (when free accounts were getting 50 GB of space).
Everything's fine except one thing below.
I haven't heard anything like that, but I believe I have something like "Undecrypted folder" in my account.
Unfortunately, I have no idea what is that, as I don't have anything critically important there and don't login too frequently. Hence no way to recall what is missing.
I didn't investigate deep, but on the internets they say this is related to sharing and further changes without properly applied permissions.
On Windows the app always worked smoothly for me, no issues.
However I never had more than 50 GB in my account (free one).
At the same time I was using the app when I needed to up/down a lot of data (basically a targeted exchange), so 50 GBs were uploaded/downloaded multiple times.
Also I used some older version of Mega Sync. Do not recall why I was using that particular version, but probably because it was MegaSync portable.
I mostly use their web interface, but again, my amounts of data aren't that large.
I haven't tried rclone with Mega, but for many other providers it offers encrypted uploads, i.e. uploading data, which is encrypted already (by you). Doesn't that work with Mega?